CISOs offer insights into patch management strategies

Keeping software up to date without disrupting care delivery requires a plan for regular patching – and responding to emergency alerts when necessary.

It's an inconvenient truth that much of healthcare still runs on legacy software. Whether it's operating systems or medical devices, the security implications of depending on vulnerable and unsupported technologies are serious, putting HIPAA compliance and patient safety at risk.

Regular HIMSS cybersecurity reports give detailed insights into new vulnerabilities and offer advice and resources for threat mitigation. And thankfully, most vendors are proactive when it comes to pushing out updates and issuing new patches for the whack-a-mole game of cyber defense.

It's a big challenge, of course, to keep software up to date and devices performing safely without disrupting clinical workflows and patient care. But the safety risks associated with unsecured medical devices are too big not to get patch management strategies right.

Should it be performed on a specific cycle, or prioritized by severity of the flaw? How do you implement a routine patching schedule while also allowing for surprises, such as an important alert from the Department of Homeland Security? Should vulnerable systems be segmented from the network until patches are applied? How should hospitals reallocate IT resources to ensure continuity of care?

We spoke to three hospital chief information security officers to get their advice on how to prioritize patching while minimizing disruptions to care.

Assess vulnerabilities to set response process

"We have a pretty aggressive patch management cycle in our organization which does take into account the severity of the flaw as well as the potential risk to the organization," said Anahi Santiago, CISO at Wilmington, Delaware-based Christiana Care Health System.

"What I mean in terms of risk is that in addition to the severity score that a vendor applies to any particular patch (CVSS rating), we also take into account whether the affected vulnerability has an active exploit available in the wild. To that end we may rank a 'medium or low severity' patch as high or severe, and prioritize accordingly."

To allow for anomalies – government or industry alerts, or other zero-day events – Christiana Care has a response process in place, said Santiago.

"Those threats are reviewed on a case by case basis and acted upon outside of the patch cycles. Based on the risk to the organization they are expedited accordingly and applied outside of the regular schedule."

There are certain times when a patch cannot be applied in an expedited manner, she said. "This comes up in the medical device space more often than in any other technology area. In those situations, we work with the vendor to identify compensating controls to lower the risk."

That's when quarantining a specific tool from the rest of the network might come into play, for instance, as well as "turning off ports or services, removing access to and from the internet, among others," she said. "We also apply pressure on those vendors to test and release the patch for implementation."
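The prioritization and fallback Santiago describes, as an added worked example (not code from Christiana Care or any other organization quoted here): the vendor's CVSS rating sets a baseline tier, a known in-the-wild exploit lifts low or medium findings to at least high, a patient-care-critical asset adds one more step, and anything high or critical leaves the regular cycle with a short deadline; where no vendor patch exists yet, the decision routes to compensating controls instead of simply missing the deadline. The tier thresholds, the out-of-cycle deadline lengths, the escalation rules and the sample findings are assumptions, constructed for illustration and not tied to any real vulnerability.

```python
"""Patch-triage helper: severity from the vendor, risk from the organization.

Added illustration; not code from any health system quoted in the article.
Thresholds, escalation rules, deadlines and sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TIERS = ("low", "medium", "high", "critical")


@dataclass
class Finding:
    name: str               # internal tracking id (constructed; not a real CVE)
    cvss: float             # vendor-supplied CVSS base score
    exploited: bool         # active exploit observed in the wild?
    care_critical: bool     # asset directly involved in patient care?
    patch_available: bool   # vendor has released a patch we can test and deploy?


def vendor_tier(cvss: float) -> str:
    """Map a CVSS v3 base score onto the usual qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def at_least(tier: str, floor: str) -> str:
    return TIERS[max(TIERS.index(tier), TIERS.index(floor))]


def bump(tier: str) -> str:
    return TIERS[min(TIERS.index(tier) + 1, len(TIERS) - 1)]


def risk_tier(f: Finding) -> str:
    """Vendor severity adjusted for risk to the organization (assumed rules)."""
    tier = vendor_tier(f.cvss)
    if f.exploited:                 # medium/low with a live exploit becomes high
        tier = at_least(tier, "high")
    if f.care_critical:             # one more step when patient care depends on it
        tier = bump(tier)
    return tier


def triage(findings, today, next_cycle, expedite_days=None):
    """Return one decision per finding, most urgent first.

    expedite_days maps a tier to the number of days allowed for an
    out-of-cycle fix; tiers not listed wait for the regular cycle.
    """
    expedite_days = expedite_days or {"critical": 2, "high": 7}   # assumed SLAs
    decisions = []
    for f in findings:
        tier = risk_tier(f)
        if tier in expedite_days:
            schedule, deadline = "out-of-cycle", today + timedelta(days=expedite_days[tier])
        else:
            schedule, deadline = "regular-cycle", next_cycle
        # No vendor patch yet: segment the device, close ports/services, cut
        # internet access and press the vendor, rather than leave the deadline unmet.
        action = "patch" if f.patch_available else "compensating-controls"
        decisions.append({"name": f.name, "tier": tier, "schedule": schedule,
                          "deadline": deadline.isoformat(), "action": action})
    # most severe tier first; within a tier, earliest deadline first (ISO dates sort as text)
    decisions.sort(key=lambda d: (-TIERS.index(d["tier"]), d["deadline"]))
    return decisions


# Constructed sample findings for the demo; none corresponds to a real vulnerability.
SAMPLE_FINDINGS = [
    Finding("imaging-01", 5.3, exploited=True, care_critical=True, patch_available=False),
    Finding("workstation-02", 9.8, exploited=False, care_critical=False, patch_available=True),
    Finding("fileserver-03", 7.5, exploited=False, care_critical=False, patch_available=True),
    Finding("kiosk-04", 3.1, exploited=False, care_critical=False, patch_available=True),
]


def demo():
    """Run the sample through triage with a fixed date and a fixed monthly cycle date."""
    return triage(SAMPLE_FINDINGS, today=date(2024, 3, 1), next_cycle=date(2024, 3, 12))


if __name__ == "__main__":
    for d in demo():
        print(f'{d["tier"]:8} {d["schedule"]:13} {d["deadline"]} {d["action"]:21} {d["name"]}')
```

Run stand-alone, the sample puts the unpatchable medium-rated imaging finding at the top of the queue as critical with a two-day deadline and a compensating-controls action, ahead of the 9.8-rated workstation flaw that has a patch ready; the kiosk finding waits for the regular cycle. Feeding in exploit intelligence (for instance from the alerts Santiago mentions) is just a matter of setting `exploited` on the affected records before calling `triage`.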

Above all, patient safety and quality of care are the guiding principles for Christiana Care's infosec efforts, said Santiago.

"We work very closely with the business and our clinicians to understand the impact of the security decisions that we make to ensure that they are not disruptive to patient care," she said. "This includes looking at alternative care tools or mechanisms to ensure that our patients are not negatively affected."

Smart planning is key to avoiding impediments to care

Heather Roszkowski, CISO at University of Vermont Medical Center, said her health system handles patching differently, depending on the situation. Some occurs on a rotating cycle, and other patches are prioritized according to the severity of a given vulnerability.

"We have a general plan to test and deploy patches within a certain amount of time after the patch is released," said Roszkowski. "If a critical vulnerability impacts our network or devices and a critical patch is released for it, then we may opt to patch outside of that normal cycle."

"The key," she said, "is to have a plan. We all know critical patches will come at some point, we just don't know when. Have a plan to deal with them when they come."

For instance, Cris Ewell, CISO at Seattle-based UW Medicine, said the health system does general patching on a monthly basis, "with the expectation that a critical patch may need to be applied out of cycle."

UW has a threat detection team that fields incoming intelligence and alerts from partner organizations such as NH-ISAC and DHS, he said – which then delivers a "risk analysis for us to better determine potential mitigation steps."

Roszkowski said her team seeks to patch vulnerable systems as quickly as possible – but if that's not doable for whatever reason, "we will look at other ways to mitigate the risk – one such way is to segment from the network or from the internet."

"We also have development and test environments that are used to test patching before applying to clinical-related devices," Ewell said. "When an immediate need is identified, we then work with the same teams to determine the best solution based on the criticality and risk to the organization. For example, we may implement compensating controls until we can apply the specific patch."

There's no question that patching presents a challenge for clinical workflow and the general process of care delivery.

That's why, when it comes to avoiding disruptions to care, "it's important to understand what applications are critical to the organization," said Roszkowski. "Maybe these apps already have additional layers of protection. Either way, this is why it is important to have a business continuity plan to keep operations running when the technology is impacted."
